fix(markdown): decode HTML entities in code blocks and inline code#658
Merged
Conversation
The reporter showed a JSON snippet rendered as
`{ "apiKey": "..." }` inside a code fence — the
model emitted literal HTML entities instead of `"`. marked passes the
entities through verbatim (its tokens carry the raw text, not HTML-
escaped output), and our renderer rightly hands that to the terminal
unchanged. Terminals don't render entities, so they leak as visible
`"` / `&` / `<` etc.
This is a known LLM artifact: models sometimes HTML-escape inside code
blocks, especially on JSON / HTML / XML output, because their training
saw a lot of HTML-encoded code in web posts and docs. Both Claude Code
and Cursor decode entities at the rendering boundary; doing the same
here.
Scope: only code blocks and inline code spans (the contexts where
models leak entities the most). Prose paragraphs are left alone — if
someone genuinely writes "use the `&` entity to escape ampersand"
in non-code text, the entity name stays visible. Numeric forms
(`"` / `"`) and the five common named forms (quot / apos /
amp / lt / gt / nbsp) decode; unknown names pass through so we don't
corrupt prose that quotes entity names.
Closes #657
Merged
ChasLui
pushed a commit
to ChasLui/DeepSeek-Reasonix
that referenced
this pull request
May 23, 2026
…sengine#658) The reporter showed a JSON snippet rendered as `{ "apiKey": "..." }` inside a code fence — the model emitted literal HTML entities instead of `"`. marked passes the entities through verbatim (its tokens carry the raw text, not HTML- escaped output), and our renderer rightly hands that to the terminal unchanged. Terminals don't render entities, so they leak as visible `"` / `&` / `<` etc. This is a known LLM artifact: models sometimes HTML-escape inside code blocks, especially on JSON / HTML / XML output, because their training saw a lot of HTML-encoded code in web posts and docs. Both Claude Code and Cursor decode entities at the rendering boundary; doing the same here. Scope: only code blocks and inline code spans (the contexts where models leak entities the most). Prose paragraphs are left alone — if someone genuinely writes "use the `&` entity to escape ampersand" in non-code text, the entity name stays visible. Numeric forms (`&esengine#34;` / `"`) and the five common named forms (quot / apos / amp / lt / gt / nbsp) decode; unknown names pass through so we don't corrupt prose that quotes entity names. Closes esengine#657
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reporter showed a JSON snippet rendered as
{ "apiKey": "..." }inside a code fence — the model emitted literal HTML entities instead of".markedpasses the entities through verbatim (its tokens carry raw text, not HTML-escaped output), and our renderer hands that to the terminal unchanged. Terminals don't render entities, so"/&/<leak as visible artifacts.This is a known LLM artifact: models sometimes HTML-escape inside code blocks — especially on JSON / HTML / XML output — because their training data had plenty of HTML-encoded code in web posts and docs. Claude Code and Cursor both decode entities at the rendering boundary; doing the same here.
Scope
src/cli/ui/html-entities.tswithdecodeHtmlEntities()— handles the five common named entities (quot/apos/amp/lt/gt/nbsp) plus numeric forms ("/"). Unknown named entities pass through so prose that quotes entity names by name doesn't get corrupted. Fast-path early-return when no&is present so paragraph text pays nothing.CodeBlocktext andcodespantext in bothmarkdown.tsxandmarkdown-lines.ts.&" working in prose.Closes #657
Test plan
npm run verify— 2601 passed (added 9), 2 skippedtests/html-entities.test.tscovers: no-&fast path, five named entities, → NBSP, decimal + hex numeric (incl. emoji codepoint), unknown-name pass-through, case-insensitivity, malformed&fragments left alone, and the literal real-world JSON pattern from the issue"not"